In 2007, the FBI was tracking down a series of bomb threats against Timberline High School, originating from an anonymous MySpace page. To break through that anonymity, agents had to get creative — but new documents suggest that in catching the culprit, the FBI may have committed a crime of its own.
Documents uncovered by the Electronic Frontier Foundation show that the FBI created a fake web page designed to look like a Seattle Times article, and used the page to spread tracking malware onto the suspect's computer. Creating dummy pages is a common way to spread malware — typically known as spoofing — but it's more common among criminals than law enforcement, and many are already interpreting the fake page as an attack on the press. "We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times," a Times editor told the paper. "Not only does that cross a line, it erases it." The Associated Press called the tactic "unacceptable," and said "this ploy violated AP’s name and undermined AP’s credibility."
"That the FBI impersonated a newspaper's website to deliver malware to a target is outrageous. Over the top crazy." — Christopher Soghoian (@csoghoian), October 27, 2014
Called CIPAV, the FBI's spyware tool is designed to harvest a computer's IP address, MAC address, and most recent session login — effectively identifying the person who visited the page. In this case, agents sent a message to the suspect's MySpace page, containing a link to the dummy article. Once the suspect clicked on the link, the page covertly uploaded CIPAV to the suspect's computer, leading agents back to the person running the page. But there's still a lot of secrecy surrounding the CIPAV tool, particularly the bureau's protocols for deploying the spyware. Today's revelations suggest they may be covering up some unsettling tactics.
10/28 12:31pm ET: Updated to include Associated Press statement.